New Spear Phishing Campaign Pretends to be EFF

Update 01/28/16: EFF now controls the Electronicfrontierfoundation.org domain and that URL currently redirects to this blog post. If you arrived at this page via a link in a message that may have been phishing, please let us know and we will investigate.

Google's security team recently identified a new domain masquerading as an official EFF site as part of a targeted malware campaign. That domain, electronicfrontierfoundation.org, is designed to trick users into a false sense of trust and it appears to have been used in a spear phishing attack, though it is unclear who the intended targets were. The domain was registered on August 4, 2015, under a presumably false name, and we suspect that the attack started on the same day. At the time of this writing the domain is still serving malware.

The attack is relatively sophisticated—it uses a recently discovered Java exploit, the first known Java zero-day in two years. The attacker sends the target a spear phishing email containing a link to a unique URL on the malicious domain (in this case electronicfrontierfoundation.org). When visited, the URL will redirect the user to another unique URL in the form of http://electronicfrontierfoundation.org/url/{6_random_digits}/Go.class containing a Java applet which exploits a vulnerable version of Java. Once the URL is used and the Java payload is received, the URL is disabled and will no longer deliver malware (presumably to make life harder for malware analysts). The attacker, now able to run any code on the user's machine due to the Java exploit, downloads a second payload, which is a binary program to be executed on the target's computer.

We were able to recover the following samples of the malicious Java code from electronicfrontierfoundation.org.

Filename   MD5 Sum                           SHA1 Sum
App.class  0c345969a5974e8b1ec6a5e23b2cf777  95dc765700f5af406883d07f165011d2ff8dd0fb
Go.class   25833224c2cb8050b90786d45f29160c  df5f038d78f5934bd79d235b4d257bba33e6b3

[Figure: the decompiled Java for App.class]

The Go.class applet bootstraps and executes App.class, which contains the actual attack code. The App.class payload exploits the same Java zero-day reported by Trend Micro and then downloads a second stage binary, internally called cormac.mcr, to the user's home directory and renames it to a randomly chosen string ending in `.exe`. Interestingly, App.class contains code to download a *nix compatible second stage binary if necessary, implying that this attack could potentially target Mac or Linux users as well.
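The delivery chain described above (the one-time `/url/{6_random_digits}/Go.class` applet URL, followed by the second-stage download) can be turned into a simple proxy-log check. The following is an added example, not code from EFF or from the malware samples; the domain, URL pattern and hashes come from this post, the log format and log lines are constructed, and the assumption that `cormac.mcr` appears as a URL path component is mine.

```python
import re

# Indicators taken from the post; everything else here is an added, constructed example.
MALICIOUS_DOMAIN = "electronicfrontierfoundation.org"
# First-stage applet URL described in the post: /url/{6_random_digits}/Go.class
FIRST_STAGE_RE = re.compile(r"^/url/\d{6}/Go\.class$")
# Internal name of the second-stage binary; that it shows up as a URL path component is an assumption.
SECOND_STAGE_NAME = "cormac.mcr"
KNOWN_MD5 = {
    "0c345969a5974e8b1ec6a5e23b2cf777": "App.class",
    "25833224c2cb8050b90786d45f29160c": "Go.class",
}

# Constructed proxy log format: <timestamp> <client> "GET <url> HTTP/1.1" <status>
LOG_RE = re.compile(r'^\S+ \S+ "GET http://(?P<host>[^/\s"]+)(?P<path>/[^\s"]*)')

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2015-08-04T10:01:02Z 10.0.0.12 "GET http://www.eff.org/deeplinks HTTP/1.1" 200',
    '2015-08-04T10:02:15Z 10.0.0.12 "GET http://electronicfrontierfoundation.org/url/483920/Go.class HTTP/1.1" 200',
    '2015-08-04T10:02:16Z 10.0.0.12 "GET http://electronicfrontierfoundation.org/cormac.mcr HTTP/1.1" 200',
    '2015-08-04T10:03:00Z 10.0.0.33 "GET http://example.com/url/123456/Go.class HTTP/1.1" 404',
]

def inspect_request(line):
    """Return the reasons a proxy log line is suspicious ([] if none, None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path = m.group("host").lower(), m.group("path")
    reasons = []
    if host == MALICIOUS_DOMAIN:
        reasons.append("request to known phishing domain")
    if FIRST_STAGE_RE.match(path):  # catches the pattern even on a domain we have not seen yet
        reasons.append("Pawn Storm first-stage applet URL pattern")
    if path.rsplit("/", 1)[-1] == SECOND_STAGE_NAME:
        reasons.append("second-stage download name seen in Pawn Storm")
    return reasons

def scan_proxy_log(lines):
    """Return (1-based line number, reasons) for every line that triggers at least one indicator."""
    return [(n, r) for n, line in enumerate(lines, 1) for r in [inspect_request(line)] if r]

def match_known_hashes(observed_md5s):
    """Map observed MD5 digests to the recovered applet they correspond to."""
    return {h: KNOWN_MD5[h] for h in (d.lower() for d in observed_md5s) if h in KNOWN_MD5}

if __name__ == "__main__":
    for n, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)}")
```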

Unfortunately we weren't able to retrieve the second stage binary; however, this is the same path and filename that has been used in other Pawn Storm attacks, which suggests that it is likely to be the same payload: the malware known as Sednit. On Windows, the Sednit payload is downloaded to the logged-in user's home directory with a randomly generated filename and executed. On running, it hooks a variety of services and downloads a DLL file. The DLL file is executed and connects to a command and control server, where it appears to verify the target and then execute a keylogger or other modules as may be required by the attacker.

Because this attack used the same path names, Java payloads, and Java exploit that have been used in other attacks associated with Pawn Storm, we can conclude that this attack is almost certainly being carried out by the same group responsible for the rest of the Pawn Storm attacks. Other security researchers have linked the Pawn Storm campaign with the original Sednit and Sofacy targeted malware campaigns, also known as “APT 28”, citing the fact that they use the same custom malware and have similar targets. In a 2014 paper (PDF), the security company FireEye linked the “APT 28” group behind Sednit/Sofacy with the Russian government based on technical evidence, technical sophistication, and targets chosen. Drawing from these conclusions, it seems likely that the organization behind the fake-EFF phishing attack also has ties to the Russian government. Past attacks have targeted Russian dissidents and journalists, U.S. defense contractors, NATO forces, and White House staff. We do not know who the targets were for this particular attack, but it does not appear that it was EFF staff.

The phishing domain has been reported for abuse, though it is still active, and the vulnerability in Java has been patched by Oracle. Of course this is an excellent reminder for everyone to be vigilant against phishing attacks. Our SSD guide contains advice on how to improve your security, watch for malicious emails, and avoid phishing attacks such as this one.
